Administration Guide

Threat Hunting data retention

Because the size of the Threat Hunting Repository database is limited, the data that is written to it is overwritten in a cyclical manner when it gets full.

Therefore, the amount of time that the data is retained depends on:
  • The size of the repository database.

    – AND –

  • The amount of data that is collected.

The amount of data that is collected depends on:
  • The Threat Hunting Data Collection Profiles, which are defined in SECURITY SETTINGS > Threat Hunting > Collection Profiles.

    – AND –

  • The Threat Hunting Data Collection Exclusions, which are defined in SECURITY SETTINGS > Threat Hunting > Collection Exclusions.

To extend the data retention period, you can:
  • Increase the size of the repository database by purchasing additional Threat Hunting Repository add-ons.

    – AND/OR –

  • Reduce the amount of data that is collected, by either defining the Collection Profiles (so that they collect less data) or defining more Collection Exclusions (so that they exclude more data), as described above.

Regarding Threat Hunting Collection Profiles, switching from the Inventory Scan Profile typically reduces data retention by at least 50% and switching to the Comprehensive Profile typically reduces data retention by an additional 50%.

To see an estimate of the Threat Hunting data retention:
  • Select ADMINISTRATION > LICENSING and look next to the Threat Hunting row.

    – OR –

  • Select SECURITY SETTINGS > Collection Profiles. The data retention period is displayed in the top left corner.
